04-06-2022 05:35 AM
The native supplicant is configured for PEAP and MSCHAPv2. The authentication method is user or computer authentication. Verify server identity is also checked, and we use the ISE self-signed certificate. It authenticates successfully at first, but after a restart it fails. To make it successful we must unplug and plug the cable or disable and enable the network adapter. The RADIUS log in ISE shows 15039 Rejected per authorization profile. Here below is the configuration on the switch. What did I miss?
The configuration on the switch
Global Config
aaa new-model
aaa group server radius RADIUS_GROUP
aaa authentication dot1x default group RADIUS_GROUP
aaa authorization network default group RADIUS_GROUP
aaa authorization auth-proxy default group RADIUS_GROUP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group RADIUS_GROUP
aaa server radius dynamic-author
aaa session-id common
Interface config
authentication event fail action next-method
authentication event server dead action reinitialize vlan 650
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
I have run the test command
test aaa group RADIUS_GROUP testuser test password new-model
and it returns User successfully authenticated.
04-06-2022 06:47 AM
"Users who fail authentication remain in the restricted VLAN until the next re-authentication attempt. A port in the restricted VLAN tries to re-authenticate at configured intervals (the default is 60 seconds). If re-authentication fails, the port remains in the restricted VLAN. If re-authentication is successful, the port moves either to the configured VLAN or to a VLAN sent by the RADIUS server. You can disable re-authentication. If you do this, the only way to restart the authentication process is for the port to receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might connect through a hub. When a client disconnects from the hub, the port might not receive the link down or EAP logoff event."
Solution is the re-auth command;
try adding it on one interface, monitor the interface and client, and then apply it to all other interfaces.
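The passage above says a port only leaves the restricted VLAN when it re-authenticates, and that without re-authentication the process restarts only on link down or EAP-Logoff, which is exactly the unplug/replug symptom in the question. Since every access port has to carry the re-auth commands for the fix to hold, an audit of the running-config is useful. The following is an added example, not code from the thread or from Cisco: it splits an IOS config into interface blocks and reports every 802.1X authenticator port that lacks `authentication periodic` or `authentication timer reauthenticate`. That these two commands are the "re-auth command" the reply refers to is an assumption of this example, and the interface names and sample blocks are constructed (the first one mirrors the interface configuration posted in the question).

```python
from typing import Dict, List

# Re-authentication commands assumed here to be the "re-auth command" the
# reply refers to: Cisco IOS "authentication periodic" and
# "authentication timer reauthenticate {seconds|server}".
REQUIRED_REAUTH = (
    "authentication periodic",
    "authentication timer reauthenticate",
)

# Constructed sample config (interface names are made up for this example):
# Gi1/0/1 mirrors the block posted in the question (no re-auth),
# Gi1/0/2 adds the re-auth commands, Gi1/0/3 is a trunk without 802.1X.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 650
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
interface GigabitEthernet1/0/2
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/3
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [sub-commands]}.

    A block starts at a line beginning with "interface " and collects the
    indented lines that follow; any non-indented line ("!" or another
    top-level command) closes it.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit_reauth(config: str) -> Dict[str, List[str]]:
    """For every 802.1X authenticator port, list the re-auth commands it lacks.

    Ports without "dot1x pae authenticator" are skipped, since there is
    nothing to re-authenticate on them. An empty list means the port already
    carries both commands.
    """
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if not any(line.startswith("dot1x pae authenticator") for line in lines):
            continue
        missing = [
            cmd for cmd in REQUIRED_REAUTH
            if not any(line.startswith(cmd) for line in lines)
        ]
        report[name] = missing
    return report


if __name__ == "__main__":
    for port, missing in audit_reauth(SAMPLE_CONFIG).items():
        status = "OK" if not missing else "missing: " + ", ".join(missing)
        print(f"{port}: {status}")
```

Run against a saved `show running-config` instead of `SAMPLE_CONFIG` to find the ports that still need the commands after the one-interface test the reply suggests. Matching on the command prefix keeps both `authentication timer reauthenticate server` and an explicit interval in seconds counted as present.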
04-06-2022 05:54 AM
I think the issue is that the client does not send EAP-Logoff. Is this client Win10?
04-06-2022 06:15 AM
Yes. Windows 10 version 21H2
04-06-2022 06:52 AM
Can you share the command?
04-06-2022 07:00 AM